In Part 1, we saw the basic security concerning wordpress which we can implement without using any plugin just by tweaking and editing some files. Part 2 will discuss about how to make your blog more secure by using some of the advanced security based plugins. Though there are thousands of plugins available for this, I will discuss only the plugins which are good and effective.

Securing WordPress using plugins

Listed below are methods to enhance security of your blog with use of plugins (All Plugins work on WordPress 2.7 and 2.8):

  1. Comment Security: Listed below are some of the plugins which implement security in your blog’s comment sections:
    1. Akismet: This is one of the most basic comment security plugins. Akismet needs a API Key to function which can be accessed from WordPress.com. Akismet is a self learning plugin which detects spam by their pattern and blocks it from showing.
      Alternative: Defensio – Works in same way as Akismet. Deactivate Akismet to use Defensio.
      SpamTask – Works same as above but does not require API Key. You can check stats by registering.
    2. reCAPTCHA Form Plugin: It is based on reCAPTCHA technology which is an hardened and effective form of a simple captcha.
      ReCaptcha For WordPress
      Alternatives:
      Block-Spam-By-Math – Math Based Captcha.
      Math Based Captcha
      trymath Math (in form of ASCII Art) based captcha.
      Math Based ASCII Captcha
      VidoopCAPTCHA – Image Based Captcha
      Vidoop Captcha
      Geo Captcha – Shows Captcha only to users from specific countries.
      Captcha shows only to users from some specified countries
      WP Clickcha – Clicking based Captcha instead of typing.
      ClickCha
      Search for Captcha Based Plugins – You will find the one most suitable for your purpose.
    3. NOSpamNX: It adds a hidden comment field which spambots 99.9% fill and get blocked. Normal users leave it empty and are let through. For WordPress 2.7.1 and below use Yawasp – Yet Another WordPress Anti Spam Plugin
    4. WP-SpamFree Anti-Spam: It is a plugin which uses Javascript and cookies combination to stop comment, pingback and trackback spam.
    5. Antispam Bee: It is a plugin which replaces comment field to catch spammers.
    6. WP Captcha-Free: It is a plugin which works by validating a hash based on time and other parameters while submission of comment using AJAX.
  2. IP/Behaviour Blocking Based Plugins:
    1. Bad Behavior: It blocks IPs and bots from being your blog served based on their pattern, behaviour and IP Addresses. It can work with other Anti-Spam Plugins to secure your blog and saves bandwidth too.
    2. AVH First Defense Against Spam: It blocks your blog from spammers by checking IPs from a public spammer database, your blacklist and by blocking wp-post-comments.php file(a method without plugin is also there for this).
    3. WordPress Firewall: It blocks spammers from using common parameters into the blog’s url to hack and even blocks sql injection type attacks. It can also block file uploads. Learn more about its filters.
  3. Login/Registration Based Protection:
    1. Semisecure Login Reimagined: It enhances the security of a login page by encrypting the Username and passwords. It is useful if you don’t have SSL certificate or the resources for it. The plugin requires Javascript to work and the webserver to have PHP with OpenSSL Support.
    2. Invisible Defender: It protects registration, login and comment forms by including 2 hidden fields which spambots will fill but not a user.
    3. Limit Login Attempts: It limits the number of retries on failed logging by checking IP or cookies. It can log login attempts and notifies administrator.
    4. Admin SSL: It forces SSL Admin on Login, Admin, Posts, Pages and everywhere with both Private and Shared SSL. WordPress 2.8 Download link.
    5. Stealth Login: It allows you to change the login link and prevents access to wp-login.php directly from spammers.
    6. Restrict Login by IP: It restricts the WordPress login to certain limited ips and gives a error for everybody else.
    7. Invalidate Logged Out Cookies: It invalidates data hold onto the cookies once a user logs out thus preventing the data from being used even if the cookie gets stolen. You need to logout manually for making this protection work.
    8. Chap Login: Encrypts your login details on login page using Chap protocol.
    9. Simple LDAP Authentication: It allows wordpress to authenticate users against a LDAP Server.
  4. WordPress Monitoring Based Protection:
    1. WordPress File Monitor: It monitors wordpress installation for added/deleted/changed files and notifies the administrator on detecting a change.
    2. TAC (Theme Authenticity Checker): It scans all themes for malicious or unwanted code or even static links.
    3. WordPress Security Scan: It scans wordpress installation for vulnerabilities and suggest corrective actions. It also removes WP version information, removes wordpress generator tag and protects wordpress admin and database.
    4. Audit Trail: It keeps track of what goes on inside your blog. It records many types of actions and maintain its log. It can record full content of posts/pages which you can restore to anytime.
  5. General Security Based:
    1. Antivirus for WordPress: It protects blog against Exploits and Spam Injections.
    2. TTC WordPress Security Tool: It blocks cross-site script elements, bad ip addresses, bots and bad user-agents.
    3. Secure WordPress: It implements many of the tweaks mentioned in part 1 like removes error information from login page, removes rsd, wlw and version tag from header, remove core/plugin/theme update information for non-admin and adds index.html to plugins directory.

If you feel, I have missed out any plugin or any tweak for securing wordpress, do discuss it in comments below.

Author:

Navjot Singh is a wordpress freak and blogs about blogging and wordpress on his blog NSpeaks.

14 Comments

  1. whoaaah, finally! a great list of security measures for wordpress…

    Thank you so much for this excellent resource.

    Keep em comin’

  2. Awesome list, love it! Really great. just one thing: I use SpamTask and it doesn’t require you to activate anywhere to see statistics. :) It’s right there in wp-admin.

    This is bookmarked in my browser. Will look it through whenever I star a new blog. ;)

  3. http://www.safewaystorage.info/www-6ravelguard-com 9rw g8j [url=http://www.safewaystorage.info/www-t6ravelguard-com] 4t6 7qw [/url] 8ws zch [url=http://www.safewaystorage.info/www-yravelguard-com] 8ws zch [/url] online blackjack [url=http://freeblackjackcash.com/] online blackjack [/url] cheap car insurance [url=http://www.metacafe.com/watch/2758477/insrance_quotes_online_auto_home_life_health_other/] cheap car insurance [/url]

  4. @above comment

    spam comment for a post on wordpress security and spam protection… ironic.

  5. hahaha… ironic!

  6. hi, thanks.

  7. Searching for cheapest Automotive insurance rates? The lowest priced car insurance rates are likely if you’re ready do some work to learn about your insurance plan and then deal with a number of insurance companies to get estimates that will result in the lowest car insurance rates. Click below to view a simple Ten Point checklist to get the Best Available Wisconsin Automotive Insurance Rates!

  8. the price of insurance quotes would vary from company to company and i always check for the lowest priced insurance quotes ,:’

  9. The quick brown

  10. It is most informative and useful blog. It can protect the some of the plug-in which implement security in your blog’s comment sections. Of course it is needed for blog. Thank for well tutorial.

Trackbacks/Pingbacks

  1. sabahdaily » Optimizing Wordpress Blog for Speed - [...] by implementing security tips in Securing your Wordpress Install the Foolproof way – Part 1 and Part 2. But maintaining your …
  2. Optimizing Wordpress Blog for Speed | Designic - [...] by implementing security tips in Securing your WordPress Install the Foolproof way – Part 1 and Part 2. But …

Leave a Comment

Feedback Form
Customer Feedback